A while back my Credit Union implemented a “Multi-Factor Authentication” system for their online services, as required by law. Like most banks, they went cheap. In addition to a password my account now has three “challenge” questions associated with it. I can regularly recall the answers to just two.
They also implemented an “Anti-Phishing” system. I give them my username and they show me an image. Instead of pre-canned images they generate an image based on a word / phrase that I give them. I chose “fuckinglame” because that’s what this crap is.
Now, in addition to that, they play games with Cookies and IP addresses. When I successfully answer a “challenge” question I’m given the option of “Registering” my computer, an option which I generally select since I can’t remember the answers to all of the challenges. They give my computer a Cookie and it’s all good.
Until my IP address changes. Then I can’t get in. I get Challenged. Then I give them my Password. Then it tells me there is a problem, that I should delete my Cookies and Restart my browser. I usually do them one better — fire up Firefox, delete all of its Cookies because I don’t use Firefox much so it has no Cookies that I would like to keep, and then restart Firefox just to be sure that I’ve got a clean start. Go through the Account, Challenge, Password process again. Same error.
Because it’s not just the cookies, they are tracking the IP addresses that I connect from. If I log in from work during the day, I can’t log in from home at night until I connect up to the VPN, sign in to online banking (via the Office’s IP address), and find the place they hid the button to un-register my computer, at which point I can sign off the VPN and successfully log in from my Home’s IP address. On the rare occasion that my Home IP address actually changes, I’m screwed until their system forgets the old IP on its own several days later.
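The lockout described above is what happens when a “registered computer” is pinned to the source IP address as well as to a cookie. The following is an added example, not code from the post or from any bank’s system: it models the device-registration check two ways, the IP-pinned version that fails the moment the address changes, and a version that keeps the registration cookie authoritative and treats an IP change as a reason to ask a challenge question rather than as a hard error. The token format, the HMAC secret, the account model and the result strings are all assumptions made for the illustration.

```python
"""
Device registration for an online-banking login, modelled two ways.

  naive_login : registration = cookie AND same source IP as at registration.
                An IP change with a valid cookie and valid password is a dead
                end (the "delete your cookies and restart" error in the post).
  stepup_login: registration = opaque cookie bound server-side to the account.
                An IP change is a risk signal: ask a challenge question, and on
                success re-pin the device to the new address.

Hypothetical example; secret, token format and policy strings are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed server-side key used to hash cookie values so a leaked device table
# cannot be replayed as cookies. A real deployment would load this from a KMS/HSM.
SECRET = b"server-side-secret-key-assumed-for-example"


@dataclass
class DeviceRecord:
    token_hash: str   # keyed hash of the cookie value, never the value itself
    last_ip: str      # address seen at registration or last successful step-up


@dataclass
class Account:
    username: str
    devices: dict = field(default_factory=dict)  # token_hash -> DeviceRecord


def _hash_token(token: str) -> str:
    """Keyed hash of a cookie value; lookup key for the device table."""
    return hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()


def register_device(acct: Account, ip: str) -> str:
    """Issue a fresh random cookie value and store only its keyed hash."""
    token = secrets.token_urlsafe(32)
    h = _hash_token(token)
    acct.devices[h] = DeviceRecord(token_hash=h, last_ip=ip)
    return token


def _lookup(acct: Account, cookie):
    if not cookie:
        return None
    return acct.devices.get(_hash_token(cookie))


def naive_login(acct: Account, cookie, ip: str, password_ok: bool) -> str:
    """IP-pinned registration: cookie must match AND ip must match."""
    if not password_ok:
        return "DENY"
    rec = _lookup(acct, cookie)
    if rec is None:
        return "CHALLENGE"            # unknown device: ask a challenge question
    if rec.last_ip != ip:
        return "ERROR_CLEAR_COOKIES"  # valid cookie, valid password, still locked out
    return "ALLOW"


def stepup_login(acct: Account, cookie, ip: str, password_ok: bool,
                 answer_ok=None) -> str:
    """Cookie is authoritative; an IP change triggers step-up, not denial."""
    if not password_ok:
        return "DENY"
    rec = _lookup(acct, cookie)
    if rec is None:
        return "CHALLENGE"
    if rec.last_ip != ip:
        if answer_ok is None:
            return "CHALLENGE"        # ask the question, keep the registration
        if not answer_ok:
            return "DENY"
        rec.last_ip = ip              # challenge passed: re-pin to the new address
    return "ALLOW"


if __name__ == "__main__":
    # Constructed walk-through: register at the office, then come home.
    acct = Account("member")
    cookie = register_device(acct, "10.0.0.1")
    print("naive, office :", naive_login(acct, cookie, "10.0.0.1", True))
    print("naive, home   :", naive_login(acct, cookie, "203.0.113.7", True))
    print("stepup, home  :", stepup_login(acct, cookie, "203.0.113.7", True))
    print("stepup, answer:", stepup_login(acct, cookie, "203.0.113.7", True, True))
```

The difference is entirely in how an IP mismatch is classified. Pinning to the address turns an ordinary event (work during the day, home at night, an ISP lease change) into a failure the user cannot recover from with the credentials they hold; treating it as a step-up trigger keeps the same signal without the lockout.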
What kills me is that several of the credit cards I’ve recently cancelled had similar MFA systems, but not a single one has locked me out for daring to connect from two different IP addresses in the same day. That, and my Credit Union is of course a “member owned” non-profit — they could have made the choice to provide real security instead of this crap without having to justify it to shareholders demanding profits.
Of course it’s Congress that is truly to blame, for writing stupid laws. Too bad that isn’t a crime…
